Metrofile recently convened a half-day conference on ‘Best practices in document and records compliance’. Held on 2 April at the Sandton Convention Centre in Sandton, the seminar highlighted key world and South African trends in document and records compliance and examined their impact on the local business environment. And eSecure was there. A vibrant, energetic and educational session, well attended by more than 300 delegates. And for those readers who were unable to attend, we have put together the following Executive Overview for you.
In recent issues of eSecure, Paul Mullon, marketing director of Metrofile has highlighted the complexity of effective document management, suggesting that whilst managing corporate records is a process often associated with filing pieces of paper alphabetically or saving electronic data onto a backup tape, add electronic records into the equation and record management becomes even more important.
Says Mullon, 'The best practices in document and records compliance' seminar was convened to help companies understand the severe implications of non-compliance with the requirements of legislation in South Africa, regarding storage and retrieval of information. Equally importantly, it addressed ways to get additional value from critical business records."
Speakers at the seminar, advocate Willem Heath, Reinhardt Buys and Mullon himself, addressed the dilemma of what to save, where to save it, and how to save it. But before delving into some of the key issues raised by the trio, the key question we need to ask ourselves is I guess, simply this ... "Just how important is records management in today's world, a world sensitive to corporate governance breaches, and driven in no small measure by legislative changes battling to keep abreast of a rapidly changing business infrastructure?"
The short answer is, it is pretty important, and getting more so all the time. A recent news item caught my eye, and aptly illustrates the point. Anglo American has been asked to provide documents relating to its treatment of black employees under apartheid by Holocaust lawyer, Ed Fagan. Fagan has demanded Anglo provide documents, including pay records and documents on conditions of work, at short notice. Very short notice. If I am not mistaken Anglo was given hours, if not days, to provide the requested information. "It is imperative that any evidence Anglo has is located and preserved," Fagan said. "The minute that Anglo became aware of the specific identities of these people the evidence was potentially put in jeopardy." So, the reality is that records management matters.
Why records management matters
Reinhardt Buys, an attorney specialising in the ECT Act, kicked off the seminar by painting a picture for the audience of what he termed to be 'game-changing' trends, highlighting new laws that force a business to retain certain documents. It is an interesting analogy 'game-changing', for as with all games, there are players, playing fields, rules, tips, best practices, referees. But what happens if the game really does change? What happens if the rules change, the players do different things, unexpected things, and the essence of fair play is compromised?
As Buys suggested when he introduced his subject, there is no one law called 'The Document Management Law' but there are numerous individual laws and regulations which apply to document management, either general laws or industry-specific laws.
General laws include the Companies Act, Financial Intelligence Centre Act, Financial Advisory and Intermediary Services Act, Close Corporations Act, The Income Tax Act, VAT Act, Customs and Excise, Stamp Duties Act, Prescription Act, Insolvency Act, Promotion of Access to Information Act, various labour laws and numerous other smaller legal requirements.
Industry-specific document management laws apply typically to vertical markets, such as Health, Mining, Import and Export, Financial Services and Professional Services such as attorneys, doctors and auditors.
Buys highlighted some of the implications of these legislative requirements, including the duties and penalties associated with breach of duty. For example, the Financial Intelligence Centre Act outlines clearly the duty of businesses to keep records of business relationships and transactions (Sections 22-27), states which institutions are accountable (Schedule 1), and highlights the penalties for non-compliance to the legislation (up to R10 million or 10 years - Section 68).
Duty to act
But rather than focus our attention on the penalties for non-compliance, a simple question needs to be asked. Does a company have a general duty to ensure good document management? According to Buys, the answer to this question is a resounding YES. He suggested that The Companies Act (Section 424) as well as the King II Report essentially underpin this notion of a corporate duty to act responsibly. Said Buys, "Clearly there are risks of non-compliance, quite apart from the threat of criminal prosecution (fines and imprisonment), such as potential reputational harm to a company, the destruction (malicious or inadvertent) of electronic records through employee negligence, viruses and malicious code, or even third party hacks.
"So," said Buys, "Does a company have a duty to prevent virus and hacker attacks, and are they liable for damages that could follow?"
Yes. Company directors and managers have a duty to take 'all reasonable steps' to prevent attacks and limit possible damages. The grounds? Local precedent-setting court cases, Section 424 of The Companies Act and the King II Report.
Buys suggested that all companies should have a well structured document management policy. This policy should govern company-wide compliance, inform and educate employees, and provide companies with a legal leg to stand on when violators of policy need to be disciplined. Says Buys, "A good document management policy will address issues such as which documents need to be retained; for how long; who is the responsible person; should records be archived in paper or electronic format? What is the architecture of electronic archive? Adherence to ECT Act requirements (Meta Tags); and security and access policies amongst others.
"Do not wait around," said Buys. "Do it today. Make sure your business has a sound document management policy, IT security policy and a well-considered document management checklist."
Advocate Willem Heath, of Heath Specialist Consultants but perhaps most famous for convening the Heath Special Investigation Unit's inquiry into government corruption, maladministration, fraud, theft and misappropriation of state assets, discussed the implications of the King II Report on Corporate Governance, and focused on its recommendations for storage, access and availability of business records.
"Corporate governance is a simple practice if you practice it in practice," said Heath, suggesting that whilst there is an inherent complacency in business generally regarding ethical behaviour, the importance of ethics in business cannot be understated. Heath asked the audience if anyone believed that their business was intentionally operating in a criminally negligent fashion ... and then with a wry smile on his face, he noted that by being ignorant of what the law requires we are de facto committing a crime.
He said, "Your practice with regard to document management is probably illegal. Non-compliance in document management security is a weak point in your application of sound corporate governance."
All companies have documents in paper or electronic format. The secure availability of these documents is enforced by the law, and yet it is becoming nigh on impossible to keep up with the extraordinary growth of company documentation. "But," said Heath, "the security of documentation is the responsibility of all management and directors or companies who practice or strive to practice good corporate governance."
Businesses therefore need to become equipped to be legally compliant and adhere to sound governance principles. Added Heath, "The ECT Act, read with the King II Report is essential for being compliant to document management standards. But it is not just a question of implementing, but of applying an habitual process as part of day-to-day operations. Ignoring the importance of document management can be construed as irresponsible and reckless management."
Heath maintains that good corporate governance dictates that management take corporate responsibility for their companies by evaluating their risks and preventing risk in order to be as profitable as possible and therefore promote the interests of shareholders. Directors and management play an important role in establishing best practice standards within their companies with due regard to management of employees, managing assets, managing of reputation, and very importantly managing 'information'. Concluded Heath, "Strong leadership is paramount. The board determines the objectives of the company, and the members of the board are the custodians of the company's assets and reputation. The board members have a fiduciary responsibility not to conduct the affairs of the company recklessly and to adequately assess the company's risk.
"The board needs to promote a culture of honesty, enterprise and initiative, with each member of the board allocated a specific responsibility or portfolio. Directors then need to jointly or individually consult professional advice, which is objective and independent. The board should be transparent and demand transparency in the rest of the company. Of course organised records promote this principle."
Make proper use of experts with facilities to cater for proper document management. And become involved in sophisticated methods of being compliant with the law and good governance stipulations.
In concluding the seminar, Paul Mullon suggested that in "establishing a total records strategy, business essentially has two choices. It can choose to comply for compliance's sake. Or it can choose to add value by embracing the problem, and developing a comprehensive, holistic records strategy."
Said Mullon, "As a business decision maker, one can choose not to comply and risk the consequences. Alternatively, one may opt for minimum compliance, which can be a costly and painful process even at the best of times. Or one can embrace and seek the opportunity for competitive advantage and good governance that best practices in document and records compliance implies."
The question is, what are you doing about it?
For more information contact Metrofile, 021 380 8991, Heath Specialist Consultants, 021 910 2251 or Buys Incorporated, 021 461 7387.